💣

SolarWinds Security Incident

30/10/2023 693 days ago Resolved

Incident Overview

Situation Description

The SEC filed a complaint against SolarWinds and its CISO for allegedly misleading statements in SEC filings regarding cybersecurity risks, leading to a stock drop after the SUNBURST attack.

Event Types

Regulatory Enforcement Malware / Destructive Attack

Industry Sector

Technology

Geographic Scope

nan

Response Actions

Managed Public Narrative & Crisis Communications Revised Incident Response Plan

Impact Analysis

Event Types (2 identified)

Regulatory Enforcement Malware / Destructive Attack

Financial Impact

$0 USD

Records Affected

Data Types Compromised

Operational / System Data

Primary Impacts

Reputational Damage Legal/Regulatory Penalties Operational Disruption

Key Decisions Made

The SEC charged SolarWinds and its CISO with fraud for making misleading statements about cybersecurity risks in SEC filings.; CISOs must ensure public disclosures align with internal realities and are based on a thorough understanding of the company's cybersecurity posture.; Boards must ensure that internal cybersecurity weaknesses are promptly addressed and that vulnerabilities are timely raised to disclosure counsel.

Technical Analysis

Attack Method

Unpatched Vulnerability

Vulnerability / Tool

SUNBURST

Additional Information

Key Points SolarWinds and its chief information security officer were charged with fraud for making allegedly misleading statements in SEC filings related to known cybersecurity risks. CISOs, particularly those with SEC certification duties, need to be mindful of their internal communications, as compared to SEC and other public disclosures; ensure adequate policies and procedures are in place; and promptly escalate any potential reporting concerns to enable informed decision-making by senior management. Boards should be mindful of the need to maintain rigorous and transparent disclosure practices, ensuring that known vulnerabilities and prior security incidents are accurately reflected in public disclosures to prevent potential enforcement exposure. Summary of Complaint On October 30, 2023, the SEC filed a litigated complaint against SolarWinds, a software development company, and Timothy Brown, its chief information security officer (CISO). The SEC alleges that from October 2018, when SolarWinds went public, to January 2021, SolarWinds and Brown made materially misleading statements and omissions about the companys cybersecurity practices and risks in public disclosures, which the SEC claims ultimately led to a drop in SolarWinds stock following the later disclosure of a large-scale cybersecurity attack known as SUNBURST. Specifically, the complaint alleges that SolarWinds and Brown inaccurately claimed on a website security statement that the company followed cybersecurity standards like the National Institute of Standards and Technology Cybersecurity Framework (NIST framework), used Secure Development Lifecycle (SDL) practices, enforced strong password policies and maintained adequate access controls. Further, the SEC alleges that SolarWindss periodic filings included generic and hypothetical cybersecurity risk statements that failed to address known risks. Finally, the SEC alleges that, at the time of drafting the Form 8-K filed on December 14, 2020,...

... (truncated for display)

Quick Facts

Company:: SolarWinds
Date:: 30/10/2023
Status:: Resolved
Decision Maker:: SEC
Position:: nan
Published:: 3/11/2023

Source Information

Original Query

Director and Officer (D&O) insurance premium trends after SEC cyber disclosure rules

View Original Source

Timeline

Information Published

3/11/2023

Incident Occurred

30/10/2023 (693 days ago)

Status: Resolved

Estimated resolution based on age

Actions

View Company Profile

Navigation

Quick Stats